release.yml
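# Manually triggered release pipeline. It reads the version from the script,
# signs the script with Sigstore keyless signing, self-verifies the signature,
# publishes a GitHub Release with checksums, and attests build provenance.
name: Release

on:
  workflow_dispatch:

# Deny every token scope at workflow level; the job opts in to what it needs.
permissions: {}

jobs:
  release:
    name: Build, Sign & Release
    runs-on: ubuntu-latest
    # NOTE(review): presumably the "release" environment carries protection
    # rules (required reviewers, allowed branches) - confirm in repo settings,
    # since workflow_dispatch by itself does not restrict the ref being signed.
    environment: release
    permissions:
      contents: write  # create tag, release, and upload assets
      id-token: write  # Sigstore OIDC keyless signing
      attestations: write  # SLSA build provenance
    steps:
      # Audit mode records outbound connections but does not block them.
      # NOTE(review): consider `egress-policy: block` with an allow-list once
      # the audit log shows which endpoints this job needs.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          egress-policy: audit

      # The token stays in the local git config (checkout default) because
      # the "Create tag" step pushes with it.
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Extract version from script
        id: version
        run: |
          version=$(grep -m1 '^AGENT_VERSION=' stepsecurity-dev-machine-guard.sh | sed 's/AGENT_VERSION="//;s/"//')
          if [ -z "$version" ]; then
            echo "::error::Could not extract AGENT_VERSION from script"
            exit 1
          fi
          # The value ends up in a tag name and in later steps, so reject
          # anything outside a conservative version alphabet.
          case "$version" in
            *[!0-9A-Za-z._+-]*)
              echo "::error::AGENT_VERSION contains unexpected characters"
              exit 1
              ;;
          esac
          tag="v${version}"
          echo "version=${version}" >> "$GITHUB_OUTPUT"
          echo "tag=${tag}" >> "$GITHUB_OUTPUT"
          echo "Detected version: ${version} (tag: ${tag})"

      # The default checkout is shallow and fetches no tags, so a local
      # `git rev-parse refs/tags/...` cannot see existing releases. Ask the
      # remote instead, before anything is signed.
      - name: Check tag does not already exist
        env:
          # Passed through the environment so the value is never spliced
          # into the script text.
          TAG: ${{ steps.version.outputs.tag }}
        run: |
          if git ls-remote --exit-code --tags origin "refs/tags/${TAG}" >/dev/null 2>&1; then
            echo "::error::Tag ${TAG} already exists. Bump AGENT_VERSION in the script before releasing."
            exit 1
          fi

      - name: Install cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

      - name: Sign script with Sigstore (keyless)
        run: |
          cosign sign-blob stepsecurity-dev-machine-guard.sh \
            --bundle stepsecurity-dev-machine-guard.sh.bundle \
            --yes

      # The identity pattern is anchored at the start, ends the repository
      # name with "/", and escapes the dots. An unanchored pattern would also
      # accept identities that merely contain the repository path, such as a
      # repository whose name starts with "dev-machine-guard".
      # NOTE(review): this can be tightened further to the exact workflow file
      # and ref that are allowed to sign releases.
      - name: Verify signature
        run: |
          cosign verify-blob stepsecurity-dev-machine-guard.sh \
            --bundle stepsecurity-dev-machine-guard.sh.bundle \
            --certificate-identity-regexp '^https://github\.com/step-security/dev-machine-guard/' \
            --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

      - name: Generate checksums
        run: |
          sha256sum stepsecurity-dev-machine-guard.sh > checksums.txt
          sha256sum stepsecurity-dev-machine-guard.sh.bundle >> checksums.txt
          echo "Checksums:"
          cat checksums.txt

      - name: Create tag
        env:
          TAG: ${{ steps.version.outputs.tag }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git tag -a "${TAG}" -m "Release ${TAG}"
          git push origin "${TAG}"

      - name: Create GitHub Release
        uses: step-security/action-gh-release@d45511d7589f080cf54961ff056b9705a74fd160 # v2.5.0
        with:
          tag_name: ${{ steps.version.outputs.tag }}
          name: ${{ steps.version.outputs.tag }}
          generate_release_notes: true
          files: |
            stepsecurity-dev-machine-guard.sh
            stepsecurity-dev-machine-guard.sh.bundle
            checksums.txt

      # NOTE(review): this runs after the release is published, so a failure
      # here leaves a public release without a provenance attestation.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-path: stepsecurity-dev-machine-guard.sh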